darkcomet | 326db47ee21a2978df7464ec5041167561e5cd3d83827ba3918e88ec04b89dee

General

Target

JaffaCakes118_7e02507dac1589507c8ed14ec1b34a87.exe
Size

1.8MB
MD5

7e02507dac1589507c8ed14ec1b34a87
SHA1

c5085831167af29ed3cfb8476ed55d7c2d3a27df
SHA256

326db47ee21a2978df7464ec5041167561e5cd3d83827ba3918e88ec04b89dee
SHA512

316b79c9f5aa60549f0bd1621f26005746cb83a479eef9745cd52099a968205211a94802ba0f6ee588f897951dfb03b12aa34df95e0141f72c98bd47feb91655
SSDEEP

24576:f6xt9Nap1NVD/rTJ60U0C83REJcXqlWfMVIEoPHWu9p/EfpiZfdaIHDdIFrJCoJ:fm9NqPfvjqlbgb/ExO8c8B

Score

10^/10

darkcomet guest16 discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

nicksdcrat1.no-ip.org:82

Mutex

DC_MUTEX-QNFCFKG

Attributes

gencode
e9TV92Q1dEqq
install
false
offline_keylogger
true
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 1 IoCs

pid	Process
3440	WindowsUpdateApplication.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7e02507dac1589507c8ed14ec1b34a87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdateApplication.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3440	WindowsUpdateApplication.exe
Token: SeSecurityPrivilege	3440	WindowsUpdateApplication.exe
Token: SeTakeOwnershipPrivilege	3440	WindowsUpdateApplication.exe
Token: SeLoadDriverPrivilege	3440	WindowsUpdateApplication.exe
Token: SeSystemProfilePrivilege	3440	WindowsUpdateApplication.exe
Token: SeSystemtimePrivilege	3440	WindowsUpdateApplication.exe
Token: SeProfSingleProcessPrivilege	3440	WindowsUpdateApplication.exe
Token: SeIncBasePriorityPrivilege	3440	WindowsUpdateApplication.exe
Token: SeCreatePagefilePrivilege	3440	WindowsUpdateApplication.exe
Token: SeBackupPrivilege	3440	WindowsUpdateApplication.exe
Token: SeRestorePrivilege	3440	WindowsUpdateApplication.exe
Token: SeShutdownPrivilege	3440	WindowsUpdateApplication.exe
Token: SeDebugPrivilege	3440	WindowsUpdateApplication.exe
Token: SeSystemEnvironmentPrivilege	3440	WindowsUpdateApplication.exe
Token: SeChangeNotifyPrivilege	3440	WindowsUpdateApplication.exe
Token: SeRemoteShutdownPrivilege	3440	WindowsUpdateApplication.exe
Token: SeUndockPrivilege	3440	WindowsUpdateApplication.exe
Token: SeManageVolumePrivilege	3440	WindowsUpdateApplication.exe
Token: SeImpersonatePrivilege	3440	WindowsUpdateApplication.exe
Token: SeCreateGlobalPrivilege	3440	WindowsUpdateApplication.exe
Token: 33	3440	WindowsUpdateApplication.exe
Token: 34	3440	WindowsUpdateApplication.exe
Token: 35	3440	WindowsUpdateApplication.exe
Token: 36	3440	WindowsUpdateApplication.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3440	WindowsUpdateApplication.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 3440	1556	JaffaCakes118_7e02507dac1589507c8ed14ec1b34a87.exe	89
PID 1556 wrote to memory of 3440	1556	JaffaCakes118_7e02507dac1589507c8ed14ec1b34a87.exe	89
PID 1556 wrote to memory of 3440	1556	JaffaCakes118_7e02507dac1589507c8ed14ec1b34a87.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e02507dac1589507c8ed14ec1b34a87.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e02507dac1589507c8ed14ec1b34a87.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdateApplication.exe
  C:\Users\Admin\AppData\Local\Temp\\WindowsUpdateApplication.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WindowsUpdateApplication.exe

Filesize
660KB

MD5
9a53ecbc7473dde8e7fd52359e83d5f0

SHA1
77b929a5995100a222bcba8b880a7ac6734762f2

SHA256
53d8db03d4d5616a02e71e602de4b727f70464f9bfdf602630e301491edb9c18

SHA512
965cda78fe779accdeedec14c37dd0bb5195f73c3bcf5b3c854b61319f5ea0475003765117aa43ece64ee6fefc721cde01c7f64cb2eeb92d028ff8360096f107

Download Submit
memory/1556-15-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/1556-1-0x0000000000190000-0x0000000000212000-memory.dmp

Filesize
520KB

Download
memory/1556-2-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/1556-3-0x00000000025C0000-0x00000000025C6000-memory.dmp

Filesize
24KB

Download
memory/1556-4-0x0000000004C40000-0x0000000004CDC000-memory.dmp

Filesize
624KB

Download
memory/1556-5-0x00000000054B0000-0x0000000005A54000-memory.dmp

Filesize
5.6MB

Download
memory/1556-6-0x0000000004FA0000-0x0000000005032000-memory.dmp

Filesize
584KB

Download
memory/1556-7-0x0000000004CE0000-0x0000000004CEA000-memory.dmp

Filesize
40KB

Download
memory/1556-8-0x0000000005130000-0x0000000005186000-memory.dmp

Filesize
344KB

Download
memory/1556-0-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/3440-16-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3440-22-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3440-17-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3440-18-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3440-19-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3440-20-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3440-21-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3440-13-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/3440-23-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3440-24-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3440-25-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3440-26-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3440-27-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3440-28-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3440-29-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download

Analysis

Sharing